# AppArmor Status and Management Guide

## Table of Contents

1. [Introduction to AppArmor](#introduction-to-apparmor)
2. [AppArmor Status Overview](#apparmor-status-overview)
3. [Viewing AppArmor Status](#viewing-apparmor-status)
4. [Profile Modes and States](#profile-modes-and-states)
5. [Commands and Tools](#commands-and-tools)
6. [Configuration Files](#configuration-files)
7. [Troubleshooting](#troubleshooting)
8. [Best Practices](#best-practices)

## Introduction to AppArmor
AppArmor (Application Armor) is a Linux kernel security module that implements mandatory access control (MAC) to restrict programs' capabilities. It confines programs to a limited set of resources through security profiles that define what files, paths, network ports, and other system resources an application can access.
### Key Features

| Feature | Description |
|---------|-------------|
| Path-based access control | Controls access based on file paths rather than inode numbers |
| Complain mode | Allows violations but logs them for profile development |
| Enforce mode | Actively blocks unauthorized access attempts |
| Profile inheritance | Child processes inherit parent profiles with modifications |
| Network access control | Restricts network socket creation and usage |
| Capability control | Limits Linux capabilities available to processes |
### System Integration

AppArmor integrates with the Linux security framework through:

- Linux Security Modules (LSM) interface
- Filesystem extended attributes
- Proc filesystem interfaces
- Systemd service management
- Package management integration
## AppArmor Status Overview

The AppArmor status provides comprehensive information about the current state of the security system, including loaded profiles, their modes, and system-wide configuration.

### Status Components

| Component | Description | Purpose |
|-----------|-------------|---------|
| Module Status | Whether AppArmor kernel module is loaded | Core functionality availability |
| Profile Count | Number of loaded profiles | System coverage scope |
| Profile Modes | Enforce, complain, or unconfined states | Security posture per application |
| Process Status | Running processes and their profile assignments | Real-time security state |
| Kernel Interface | Available AppArmor kernel features | Capability assessment |
## Viewing AppArmor Status

### Basic Status Command

```bash
sudo apparmor_status
```
**Command Explanation:**

- `sudo`: Required for accessing AppArmor kernel interfaces
- `apparmor_status`: Primary tool for displaying comprehensive AppArmor information
**Example Output:**

```
apparmor module is loaded.
54 profiles are loaded.
52 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/firefox
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/tcpdump
2 profiles are in complain mode.
/usr/bin/example-app
/usr/sbin/test-daemon
0 processes have profiles defined but not loaded.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```

### Detailed Status Information

```bash
sudo aa-status --verbose
```
**Command Options:**

| Option | Description | Use Case |
|--------|-------------|----------|
| --verbose | Show detailed process information | Debugging and monitoring |
| --pretty-print | Format output for better readability | Documentation and reports |
| --json | Output in JSON format | Automation and scripting |
### Alternative Status Commands

```bash
# Check if AppArmor is enabled
sudo aa-enabled

# Show only profile counts
sudo apparmor_status | head -5

# List all loaded profiles
sudo apparmor_status | grep -A 100 "profiles are loaded"
```

## Profile Modes and States
### Profile Modes

AppArmor profiles operate in different modes that determine their behavior:

| Mode | Symbol | Behavior | Use Case |
|------|--------|----------|----------|
| Enforce | (none) | Actively blocks violations | Production systems |
| Complain | (complain) | Logs violations without blocking | Profile development |
| Audit | (audit) | Enhanced logging of allowed actions | Security monitoring |
| Kill | (kill) | Terminates process on violation | High-security environments |
| Unconfined | (unconfined) | No restrictions applied | Troubleshooting |
### Profile States

```bash
# View profiles by mode
sudo aa-status | grep -A 20 "enforce mode"
sudo aa-status | grep -A 20 "complain mode"
```

### Mode Management Commands

| Command | Purpose | Example |
|---------|---------|---------|
| aa-enforce | Set profile to enforce mode | sudo aa-enforce /usr/bin/firefox |
| aa-complain | Set profile to complain mode | sudo aa-complain /usr/bin/firefox |
| aa-disable | Disable profile | sudo aa-disable /usr/bin/firefox |
| aa-audit | Enable audit mode | sudo aa-audit /usr/bin/firefox |
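The mode listing and the `--json` output of `aa-status` are easiest to act on programmatically. The following Python is an added example, not part of this guide or of the AppArmor project's own tooling: it parses a constructed document in the shape of `aa-status --json` (a `version` of `"1"` with `profiles` and `processes` keys, which is an assumption about the format), counts loaded profiles per mode, lists processes that run unconfined even though a profile exists for their executable (the "unconfined but have a profile defined" line of the text output), and compares the loaded modes against an expected map so that a profile left in complain mode, or not loaded at all, is reported as drift. `SAMPLE_STATUS_JSON` and `EXPECTED_MODES` are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample in the shape of `aa-status --json` (version "1").
# The layout is an assumption about the format, not output captured from a host.
SAMPLE_STATUS_JSON = json.dumps({
    "version": "1",
    "profiles": {
        "/usr/bin/firefox": "enforce",
        "/usr/sbin/tcpdump": "enforce",
        "/usr/bin/man": "enforce",
        "/usr/bin/example-app": "complain",
        "/usr/sbin/test-daemon": "complain",
    },
    "processes": {
        "/usr/bin/firefox": [
            {"profile": "/usr/bin/firefox", "pid": "4242", "status": "enforce"}],
        "/usr/sbin/test-daemon": [
            {"profile": "/usr/sbin/test-daemon", "pid": "777", "status": "complain"}],
        "/usr/bin/example-app": [
            {"profile": "/usr/bin/example-app", "pid": "900", "status": "unconfined"}],
    },
})

# Constructed desired state: which mode each profile is expected to be loaded in.
EXPECTED_MODES = {
    "/usr/bin/firefox": "enforce",
    "/usr/bin/example-app": "enforce",
    "/usr/sbin/nginx": "enforce",
}


def parse_status(raw):
    """Load the JSON and refuse formats this parser was not written for."""
    data = json.loads(raw)
    if data.get("version") != "1":
        raise ValueError("unexpected aa-status JSON version: %r" % data.get("version"))
    return data


def mode_counts(status):
    """Count loaded profiles per mode, like the 'N profiles are in X mode' lines."""
    return Counter(status["profiles"].values())


def unconfined_with_profile(status):
    """(executable, pid) pairs running unconfined although a profile is loaded for them."""
    hits = []
    for exe, procs in status["processes"].items():
        for proc in procs:
            if proc["status"] == "unconfined" and exe in status["profiles"]:
                hits.append((exe, int(proc["pid"])))
    return sorted(hits)


def mode_drift(status, expected):
    """Map profile -> (expected, actual) for every profile not in its expected mode.

    A profile that is not loaded at all is reported as 'not loaded'.
    """
    drift = {}
    for profile, want in expected.items():
        have = status["profiles"].get(profile, "not loaded")
        if have != want:
            drift[profile] = (want, have)
    return drift


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS_JSON)
    print("profiles by mode:", dict(mode_counts(st)))
    print("unconfined but profiled:", unconfined_with_profile(st))
    for prof, (want, have) in sorted(mode_drift(st, EXPECTED_MODES).items()):
        print(f"DRIFT {prof}: expected {want}, found {have}")
```

On a real host the input would come from `subprocess.run(["aa-status", "--json"], capture_output=True)` run with sufficient privileges; the drift check is the piece that turns a status dump into an alert, since a profile silently switched to complain mode reads as healthy in the plain counts.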
## Commands and Tools

### Core AppArmor Commands

#### apparmor_status

**Purpose:** Display comprehensive AppArmor system status

**Syntax:** `apparmor_status [options]`

```bash
# Basic status
sudo apparmor_status

# Verbose output with process details
sudo apparmor_status --verbose

# Pretty formatted output
sudo apparmor_status --pretty-print
```

#### aa-status
**Purpose:** Modern alternative to apparmor_status with additional features

**Syntax:** `aa-status [options]`

```bash
# Standard status display
sudo aa-status

# JSON formatted output for scripting
sudo aa-status --json

# Return an error code if AppArmor is not enabled (for use in scripts)
sudo aa-status --enabled
```

#### aa-enabled
**Purpose:** Check if AppArmor is enabled system-wide

**Syntax:** `aa-enabled`

```bash
# Check AppArmor status
sudo aa-enabled && echo "AppArmor is enabled" || echo "AppArmor is disabled"
```

### Profile Management Commands
#### aa-enforce

**Purpose:** Set profiles to enforce mode

**Syntax:** `aa-enforce [profile_path]`

```bash
# Enforce specific profile
sudo aa-enforce /usr/bin/firefox

# Enforce all profiles in directory
sudo aa-enforce /etc/apparmor.d/*
```

#### aa-complain
**Purpose:** Set profiles to complain mode for development

**Syntax:** `aa-complain [profile_path]`

```bash
# Set profile to complain mode
sudo aa-complain /usr/bin/example-app

# Enable complain mode for debugging
sudo aa-complain /usr/sbin/nginx
```

#### aa-disable
**Purpose:** Disable AppArmor profiles

**Syntax:** `aa-disable [profile_path]`

```bash
# Disable specific profile
sudo aa-disable /usr/bin/problematic-app

# Temporarily disable for troubleshooting
sudo aa-disable /usr/lib/firefox/firefox
```

### Advanced Diagnostic Commands
#### aa-unconfined

**Purpose:** Show processes that could have profiles but don't

**Syntax:** `aa-unconfined [options]`

```bash
# Show unconfined processes with network access
sudo aa-unconfined --paranoid

# Show processes with open network sockets
sudo aa-unconfined --with-netstat
```

#### aa-notify
**Purpose:** Display AppArmor notification messages

**Syntax:** `aa-notify [options]`

```bash
# Show recent AppArmor denials
sudo aa-notify -s 1 -v

# Monitor denials in real-time
sudo aa-notify -p -f /var/log/audit/audit.log
```

## Configuration Files
### Main Configuration Locations

| Path | Purpose | Content Type |
|------|---------|--------------|
| /etc/apparmor.d/ | Profile definitions | Security policies |
| /etc/apparmor/ | AppArmor configuration | System settings |
| /sys/kernel/security/apparmor/ | Kernel interface | Runtime information |
| /proc/*/attr/current | Process attributes | Current profile assignments |
### Profile Directory Structure

```
/etc/apparmor.d/
├── abstractions/ # Reusable profile components
├── disable/ # Disabled profiles (symlinks)
├── force-complain/ # Forced complain mode profiles
├── local/ # Local customizations
├── tunables/ # Variable definitions
├── usr.bin.firefox # Firefox profile
├── usr.sbin.nginx # Nginx profile
└── usr.sbin.tcpdump # TCPdump profile
```

### Key Configuration Files

#### /etc/apparmor/parser.conf

```
# AppArmor parser configuration

# Turn creating/updating of the cache on by default
write-cache

# Turn off caching entirely (mutually exclusive with write-cache)
#skip-cache

# Only update the cache if it's older than the profile
#conditional-cache

# Turn on AppArmor debugging
#debug
```

#### Profile File Example
```
# /etc/apparmor.d/usr.bin.example
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  capability net_bind_service,

  /usr/bin/example mr,
  /etc/example/ r,
  /var/log/example.log w,
  /var/lib/example/ rw,
  /tmp/ r,
  /tmp/** rw,

  network inet stream,
  network inet dgram,
}
```
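The profile format above is regular enough to parse, which is useful when reviewing many profiles for what they actually grant. The following Python is an added example, not part of this guide or of the AppArmor project: it reads a constructed profile in the same shape as the example above into its attachment path, `flags=(...)` list, `#include` targets, capability, network and path rules, and then reports the paths the program may write to. The rule grammar it handles (one profile per file, path rules of the form `path perms,`, possibly several per line) is the subset shown on this page; `SAMPLE_PROFILE` is constructed input.

```python
import re

# Constructed profile text in the shape of the example above; sample input
# for this parser, not a profile shipped by any package.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>
  capability net_bind_service,
  /usr/bin/example mr, /etc/example/ r, /var/log/example.log w,
  /var/lib/example/ rw, /tmp/ r, /tmp/** rw,
  network inet stream,
  network inet dgram,
}
"""

# "/path {" or "/path flags=(complain) {"
HEADER_RE = re.compile(r'^(\S+)\s*(?:flags=\(([^)]*)\))?\s*\{$')
# "/some/path perms," with possibly several rules on one line
PATH_RULE_RE = re.compile(r'(/\S*)\s+([a-zA-Z]+),')


def parse_profile(text):
    """Parse one profile into attachment path, flags, includes and rule lists."""
    prof = {"name": None, "flags": [], "includes": [], "capabilities": [],
            "network": [], "paths": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if line.startswith("#include"):
            prof["includes"].append(line.split(None, 1)[1].strip("<>"))
            continue
        if line.startswith("#"):          # ordinary comment
            continue
        header = HEADER_RE.match(line)
        if header and prof["name"] is None:
            prof["name"] = header.group(1)
            prof["flags"] = [f.strip() for f in (header.group(2) or "").split(",")
                             if f.strip()]
            continue
        if line.startswith("capability "):
            prof["capabilities"].append(line[len("capability "):].rstrip(","))
            continue
        if line.startswith("network "):
            prof["network"].append(line[len("network "):].rstrip(","))
            continue
        for path, perms in PATH_RULE_RE.findall(line):
            prof["paths"].append((path, perms))
    return prof


def writable_paths(prof):
    """Paths the profile lets the program write to (w, a or c in the permission mask)."""
    return sorted(path for path, perms in prof["paths"] if set(perms) & set("wac"))


def mode_of(prof):
    """complain if flags=(complain) is present, otherwise enforce; mirrors aa-status."""
    return "complain" if "complain" in prof["flags"] else "enforce"


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(p["name"], "mode:", mode_of(p))
    print("includes:", p["includes"])
    print("capabilities:", p["capabilities"], "network:", p["network"])
    print("writable:", writable_paths(p))
```

The `writable_paths` report is the part worth reading during review: a glob such as `/tmp/** rw` grants far more than the single log file next to it, and listing write grants separately makes that visible without reading every rule.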
### Runtime Information Files

#### Kernel Interface Files

| File | Purpose | Access |
|------|---------|--------|
| /sys/kernel/security/apparmor/profiles | Loaded profiles list | Read-only |
| /sys/kernel/security/apparmor/features/ | Available features | Read-only |
| /sys/kernel/security/apparmor/.load | Profile loading interface | Write-only |
| /sys/kernel/security/apparmor/.replace | Profile replacement | Write-only |
| /sys/kernel/security/apparmor/.remove | Profile removal | Write-only |
### Checking Configuration Status

```bash
# View loaded profiles directly from kernel
sudo cat /sys/kernel/security/apparmor/profiles

# Check AppArmor features
sudo find /sys/kernel/security/apparmor/features -type f -exec echo {} \; -exec cat {} \;

# Verify profile syntax
sudo apparmor_parser -Q /etc/apparmor.d/usr.bin.firefox
```

## Troubleshooting
### Common Status Issues

#### AppArmor Not Loaded

**Symptoms:**

```bash
$ sudo apparmor_status
apparmor module is not loaded.
```

**Solutions:**

```bash
# Check if module is available
sudo modprobe apparmor

# Enable AppArmor service
sudo systemctl enable apparmor
sudo systemctl start apparmor

# Verify kernel support
grep -i apparmor /boot/config-$(uname -r)
```

#### Profile Loading Failures
**Symptoms:**

```bash
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example
AppArmor parser error for /etc/apparmor.d/usr.bin.example
```

**Diagnostic Commands:**

```bash
# Test profile syntax
sudo apparmor_parser -Q /etc/apparmor.d/usr.bin.example

# Debug profile loading
sudo apparmor_parser -v -r /etc/apparmor.d/usr.bin.example

# Check for syntax errors
sudo apparmor_parser --preprocess /etc/apparmor.d/usr.bin.example
```

### Log Analysis
#### Denial Messages

```bash
# View AppArmor denials in system logs
sudo dmesg | grep -i apparmor

# Check audit logs
sudo ausearch -m AVC -ts recent

# Monitor real-time denials
sudo tail -f /var/log/audit/audit.log | grep -i apparmor
```

#### Log Message Types

| Message Type | Example | Meaning |
|--------------|---------|---------|
| DENIED | DENIED operation="open" | Access blocked by profile |
| ALLOWED | ALLOWED operation="read" | Access permitted (audit mode) |
| AUDIT | AUDIT operation="exec" | Audited action in profile |
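The DENIED, ALLOWED and AUDIT messages above share one `key="value"` layout, so a small parser turns a log tail into counts per profile and target instead of a wall of repeated lines. The following Python is an added example, not part of this guide or the AppArmor project: it parses constructed audit lines in that layout, collapses repeated denials into a count keyed by status, profile, operation and target (a file name or, for `capable` denials, the capability name), and separately collects the ALLOWED entries, which come from complain-mode profiles and show which rules the profile would need before it can be switched to enforce. `SAMPLE_LOG` and the field names it relies on (`apparmor`, `operation`, `profile`, `name`, `capname`, `requested_mask`) are the ones that appear in the constructed lines.

```python
import re
from collections import Counter, defaultdict

# Constructed audit-style lines for this example; not output from a real host.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=4321 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:502): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/etc/shadow" pid=4321 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.250:503): apparmor="ALLOWED" operation="open" profile="/usr/sbin/test-daemon" name="/var/lib/test/state.db" pid=777 comm="test-daemon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.300:504): apparmor="DENIED" operation="capable" profile="/usr/sbin/test-daemon" pid=777 comm="test-daemon" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.400:505): apparmor="AUDIT" operation="exec" profile="/usr/bin/firefox" name="/usr/bin/xdg-open" pid=4242 comm="firefox" requested_mask="x"
type=SYSCALL msg=audit(1700000000.401:506): arch=c000003e syscall=59 success=yes
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one AppArmor audit line into a dict; None for lines that are not AppArmor messages."""
    if 'apparmor="' not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def parse_log(text):
    """All AppArmor records in a block of log text, in order."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def summarize(records):
    """Count events per (status, profile, operation, target) so repeated denials collapse.

    The target is the file name, or the capability name for 'capable' events.
    """
    summary = Counter()
    for rec in records:
        target = rec.get("name") or rec.get("capname") or ""
        summary[(rec["apparmor"], rec["profile"], rec["operation"], target)] += 1
    return summary


def complain_mode_findings(records):
    """ALLOWED file events grouped by profile: the accesses enforce mode would block."""
    needed = defaultdict(set)
    for rec in records:
        if rec["apparmor"] == "ALLOWED" and "name" in rec:
            needed[rec["profile"]].add((rec["name"], rec.get("requested_mask", "")))
    return {profile: sorted(rules) for profile, rules in needed.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (status, profile, op, target), count in sorted(summarize(records).items()):
        print(f"{count:4d}  {status:8s} {profile} {op} {target}")
    for profile, rules in complain_mode_findings(records).items():
        print(f"{profile} would need:", rules)
```

Fed with `ausearch -m AVC -ts recent` output or a `journalctl -k` tail, the summary gives the per-profile picture the raw `grep -i apparmor` lines above do not: a single process retrying one denied open hundreds of times shows up as one line with a count, and the ALLOWED list is exactly what a reviewer needs to decide whether a complain-mode profile is ready for `aa-enforce`.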
### Performance Issues

#### Profile Cache Problems

```bash
# Clear AppArmor cache
sudo rm -rf /var/cache/apparmor/

# Rebuild cache
sudo systemctl reload apparmor

# Check cache status
sudo ls -la /var/cache/apparmor/
```

#### Memory Usage

```bash
# Check AppArmor memory usage
sudo cat /sys/kernel/security/apparmor/apparmorfs/stats

# Profile memory consumption
sudo grep -r VmSize /proc/*/status | grep apparmor
```

## Best Practices
### Regular Status Monitoring

#### Automated Status Checks

```bash
#!/bin/bash
# AppArmor status monitoring script

LOG_FILE="/var/log/apparmor-status.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')

echo "[$DATE] AppArmor Status Check" >> "$LOG_FILE"
sudo apparmor_status >> "$LOG_FILE" 2>&1

# Check for unconfined processes
UNCONFINED=$(sudo aa-unconfined 2>/dev/null | wc -l)
if [ "$UNCONFINED" -gt 0 ]; then
  echo "[$DATE] Warning: $UNCONFINED unconfined processes found" >> "$LOG_FILE"
fi

# Check for complain mode profiles (match the profile line, not the process line)
COMPLAIN=$(sudo apparmor_status | grep "profiles are in complain mode" | head -1 | awk '{print $1}')
if [ "${COMPLAIN:-0}" != "0" ]; then
  echo "[$DATE] Info: $COMPLAIN profiles in complain mode" >> "$LOG_FILE"
fi
```

### Status Reporting
#### Daily Status Report

```bash
#!/bin/bash
# Generate daily AppArmor report

REPORT_DATE=$(date '+%Y-%m-%d')
REPORT_FILE="/tmp/apparmor-report-$REPORT_DATE.txt"

{
  echo "AppArmor Daily Status Report - $REPORT_DATE"
  echo "============================================"
  echo
  echo "System Status:"
  sudo apparmor_status
  echo
  echo "Unconfined Processes:"
  sudo aa-unconfined --paranoid
  echo
  echo "Recent Denials:"
  sudo dmesg | grep -i apparmor | tail -10
} > "$REPORT_FILE"

echo "Report generated: $REPORT_FILE"
```
### Security Maintenance

#### Profile Validation

```bash
# Validate all profiles (regular files only; skip subdirectories such as abstractions/)
for profile in /etc/apparmor.d/*; do
  if [ -f "$profile" ]; then
    echo "Checking $profile"
    sudo apparmor_parser -Q "$profile" || echo "ERROR in $profile"
  fi
done
```

#### Status Summary Table

| Check Type | Command | Frequency | Purpose |
|------------|---------|-----------|---------|
| Basic Status | sudo apparmor_status | Daily | Overall system health |
| Profile Validation | sudo apparmor_parser -Q | Weekly | Profile integrity |
| Unconfined Processes | sudo aa-unconfined | Daily | Security coverage |
| Denial Analysis | sudo dmesg \| grep apparmor | As needed | Troubleshooting |
| Performance Check | cat /sys/kernel/security/apparmor/apparmorfs/stats | Monthly | System impact |
### Integration with System Monitoring

#### Nagios/Icinga Check

```bash
#!/bin/bash
# Nagios check for AppArmor status

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Check if AppArmor is loaded
if ! sudo apparmor_status >/dev/null 2>&1; then
  echo "CRITICAL: AppArmor module not loaded"
  exit $STATE_CRITICAL
fi

# Get profile counts (run apparmor_status once and parse all counts from that output)
STATUS=$(sudo apparmor_status)
TOTAL=$(echo "$STATUS" | grep "profiles are loaded" | awk '{print $1}')
ENFORCE=$(echo "$STATUS" | grep "profiles are in enforce mode" | awk '{print $1}')
COMPLAIN=$(echo "$STATUS" | grep "profiles are in complain mode" | awk '{print $1}')
# Default missing counts to 0 so the arithmetic below never sees an empty string
TOTAL=${TOTAL:-0}
ENFORCE=${ENFORCE:-0}
COMPLAIN=${COMPLAIN:-0}

# Check for minimum profiles (also guards the division below against TOTAL=0)
if [ "$TOTAL" -lt 10 ]; then
  echo "WARNING: Only $TOTAL profiles loaded"
  exit $STATE_WARNING
fi

# Check complain mode ratio
COMPLAIN_RATIO=$((COMPLAIN * 100 / TOTAL))
if [ "$COMPLAIN_RATIO" -gt 20 ]; then
  echo "WARNING: $COMPLAIN_RATIO% profiles in complain mode"
  exit $STATE_WARNING
fi

echo "OK: $TOTAL profiles loaded ($ENFORCE enforce, $COMPLAIN complain)"
exit $STATE_OK
```
This comprehensive guide provides detailed information about viewing and managing AppArmor status, including commands, configuration files, troubleshooting procedures, and best practices for maintaining a secure AppArmor implementation.